On Tue, 12 Oct 2004, Julien Pierre wrote:
>Yes, there is an NSS 3.3.10, it is a Sun-specific branch, but still
>open-source. You can pull NSS_3_3_BRANCH if interested. This branch
>should not live for too much longer in Sun products, however, as NSS 3.3
>is being replaced with 3.9.
Ah, good of them to keep up with the times. Any idea when that JES3 will
come out?
>Your key got generated. I believe the default is an RSA keypair.
>
>I haven't used symkeyutil before, but I believe it's for symmetric keys,
>only, and therefore you can't export the RSA key with the -E command.
>I see in the code that there may be some defines to allow doing what you
>want anyway if you hack and recompile it.
Unnecessary if pk12util works the way I want it to.
>In particular, I found that the Sun NSS 3.3.x versions didn't implement
>the full cert8 format. Therefore, you shouldn't manipulate DBs from Sun
>product with newer tools (e.g. from NSS 3.9) which have the "full" cert8
>format. If you do that, but try to use those databases with Sun products
>still running NSS 3.3.x, then you won't be able to use them. This is why
>Sun officially supports only NSS 3.3.x and recommends against using any
>tools not built by Sun to manipulate cert/key databases of Sun server
>products.
That's about what I'd determined but without that background info, I
couldn't be sure what the expected behavior should have been! ;)
Thanks a million for that NSS_3_3_BRANCH tip. I _finally_ have a pk12util
that works with my Sun JES databases! There are a few rough edges in the
build, but I actually hope no one is interested in taking the time to fix
them. It looks like that branch hasn't been updated in over a year.
>
>You should wait for the official release of Sun products with NSS 3.9,
>JES3, which should be in a couple of months. NSS 3.9 is also already in
>Solaris 10 in the early access builds if you have that.
Sounds good. Thanks!
In case there's someone else in my shoes, though, here's how to get out of
the mud. No more newbies like me should have to endure this search again,
especially after enduring the fatalist, demoralizing responses from Sun
technical support. There is a way!
$ export CVSROOT=:pserver:[EMAIL PROTECTED]:/cvsroot
$ cvs login
password is anonymous
$ cvs co -r NSPRPUB_RELEASE_4_1_2 mozilla/nsprpub
$ cvs co -r NSS_3_3_BRANCH mozilla/security/coreconf
$ cvs co -r DBM_1_6_RTM mozilla/dbm mozilla/security/dbm
$ cvs co -r NSS_3_3_BRANCH mozilla/security/nss
modify mozilla/security/coreconf/ruleset.mk to remove the tab indentation
of the define ... endef lines. GNU make doesn't parse that as intended.
$ cd mozilla/security/nss
no amount of command-line or environment variable tweaking can produce a
satisfactory build environment if you are trying to use a compiler other
than the 'cc' in your PATH. You'll have to export a revised PATH.
$ export PATH=/opt/SUNWspro/bin:${PATH}
nevertheless, I think I went ahead and did what I think was supposed to
work
$ gmake NATIVE_CC=/opt/SUNWspro/bin/cc nss_build_all
The tools end up at cmd/toolname/SunOS5.9_DBG.OBJ/toolname
I really enjoyed the packaging-made-easy of
$ gmake -C pkg/solaris/SUNWtls*/ publish
which sticks pkg directories in ../../dist/SunOS5.9_DBG.OBJ/pkgarchive
Now I can keep PEM copies of my keys and certs by taking advantage of the
functionality of openssl with something like the following.
$ openssl genrsa -out host.key 1024
$ openssl req -new -key host.key -out host.csr
get the cert signed
back up all of the PEM files, then import the key/cert for NSS
$ openssl pkcs12 -export -in host.crt -inkey host.key -out host.p12 -name certname
$ pk12util -i host.p12
Thanks guys! This forum has been loads more help than the documentation
on the web or in the source and certainly more useful than Sun support's
"it can't be done" response.
Eric Irrgang - UT Austin ITS Unix Systems - (512)475-9342
_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
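The PEM-to-PKCS#12 steps at the end of the message above, as an added example that is not part of the original post: it checks that the certificate and private key belong together before bundling them, and again after reading host.p12 back, so a mismatched or unreadable backup is caught before `pk12util -i`. The self-signing step stands in for "get the cert signed"; the 2048-bit key size, the CN, the pass phrase and the function names are assumptions.

```shell
#!/bin/sh
# Added example; file names follow the post, everything else is constructed.

# Succeeds only if PEM private key $1 and PEM certificate $2 hold the same public key.
same_pubkey() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Create host.key, host.csr, host.crt and host.p12 in directory $1, pass phrase $2.
make_bundle() (
    umask 077                      # key, cert and bundle readable by owner only
    cd "$1" || exit 1
    openssl genrsa -out host.key 2048 2>/dev/null || exit 1
    openssl req -new -key host.key -subj "/CN=host.example.test" -out host.csr || exit 1
    # Stand-in for "get the cert signed": self-sign the CSR (assumption).
    openssl x509 -req -in host.csr -signkey host.key -days 30 -out host.crt 2>/dev/null || exit 1
    same_pubkey host.key host.crt || exit 2     # refuse to bundle a mismatched pair
    # env: keeps the pass phrase out of the process argument list.
    P12PASS="$2" openssl pkcs12 -export -in host.crt -inkey host.key -out host.p12 \
        -name certname -passout env:P12PASS || exit 1
)

# Read bundle $1 back with pass phrase $2 and confirm its cert matches key $3.
verify_bundle() {
    tmp=$(mktemp) || return 1
    rc=1
    P12PASS="$2" openssl pkcs12 -in "$1" -passin env:P12PASS -nokeys -clcerts \
        -out "$tmp" 2>/dev/null && same_pubkey "$3" "$tmp" && rc=0
    rm -f "$tmp"
    return "$rc"
}

# Demo: sh thisfile --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d) && make_bundle "$d" "sample-pass" &&
        verify_bundle "$d/host.p12" "sample-pass" "$d/host.key" &&
        echo "bundle verified in $d; next step from the post: pk12util -i host.p12"
fi
```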